Malware Analysis Report

2025-06-16 00:41

Sample ID: 241110-1sv8ksvrb1
Target: pgxmuwgx.exe
SHA256: 467067b7b752259afab91d03a8e163b5022341d359fe0d31cfe0c28af4ccec38
Tags: upx, execution
Score: 5/10

Analysis Overview

Score: 5/10
SHA256: 467067b7b752259afab91d03a8e163b5022341d359fe0d31cfe0c28af4ccec38
Threat Level: Likely benign

The file pgxmuwgx.exe was found to be: Likely benign.

Malicious Activity Summary

upx execution

UPX packed file

Unsigned PE

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 21:55

Signatures

UPX packed file (tag: upx)

Description    Indicator    Process    Target
N/A            N/A          N/A        N/A

Unsigned PE

Description    Indicator    Process    Target
N/A            N/A          N/A        N/A
N/A            N/A          N/A        N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 21:55
Reported: 2024-11-10 21:55
Platform: win7-20240903-en
Max time kernel: 0s

Command Line: N/A
Signatures: N/A
Processes: N/A
Network: N/A
Files: N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-10 21:55
Reported: 2024-11-10 21:57
Platform: win10v2004-20241007-en
Max time kernel: 92s
Max time network: 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe"

Signatures

UPX packed file (tag: upx)

Description    Indicator    Process    Target
N/A            N/A          N/A        N/A
N/A            N/A          N/A        N/A

Command and Scripting Interpreter: PowerShell (tag: execution)

Description    Indicator    Process                                                      Target
N/A            N/A          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    N/A
N/A            N/A          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    N/A

Suspicious use of AdjustPrivilegeToken

Description               Indicator    Process                                                      Target
Token: SeDebugPrivilege   N/A          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    N/A
Token: SeDebugPrivilege   N/A          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    N/A

Processes

C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe
    "C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe"

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 0a && mode con: cols=90 lines=26

C:\Windows\system32\mode.com
    mode con: cols=90 lines=26

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP | Select-Object -ExpandProperty Version"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP | Select-Object -ExpandProperty Architecture"

Network

Country  Destination  Domain                          Proto
US       8.8.8.8:53   28.118.140.52.in-addr.arpa      udp
US       8.8.8.8:53   14.160.190.20.in-addr.arpa      udp
US       8.8.8.8:53   95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53   241.150.49.20.in-addr.arpa      udp
US       8.8.8.8:53   18.31.95.13.in-addr.arpa        udp
US       8.8.8.8:53   197.87.175.4.in-addr.arpa       udp
US       8.8.8.8:53   98.117.19.2.in-addr.arpa        udp

Files

memory/2176-0-0x00007FF7A7250000-0x00007FF7A88D3C27-memory.dmp

memory/3984-1-0x00007FFE75C13000-0x00007FFE75C15000-memory.dmp

memory/3984-2-0x0000020FF3F80000-0x0000020FF3FA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ycgfi2dm.vlt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3984-8-0x00007FFE75C10000-0x00007FFE766D1000-memory.dmp

memory/3984-13-0x00007FFE75C10000-0x00007FFE766D1000-memory.dmp

memory/3984-15-0x0000020FF3F70000-0x0000020FF3F7A000-memory.dmp

memory/3984-14-0x0000020FF3FB0000-0x0000020FF3FC6000-memory.dmp

memory/3984-16-0x0000020FF6640000-0x0000020FF6666000-memory.dmp

memory/3984-19-0x00007FFE75C10000-0x00007FFE766D1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 958ec9d245aa0e4bd5d05bbdb37475f4
SHA1 80e6d2c6a85922cb83b9fea874320e9c53740bd9
SHA256 a01df48cd7398ad6894bc40d27fb024dcdda87a3315934e5452a2a3e7dfb371d
SHA512 82567b9f898238e38b3b6b3cdb2565be8cac08788e612564c6ac1545f161cd5c545ba833946cc6f0954f38f066a20c9a4922a09f7d37604c71c8f0e7e46a59ec

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a8c4d2c53fbcc4a8d45ccbce9a278d86
SHA1 22a03402aab2996381690bbd9cc11c3a3e087802
SHA256 87e09cc730f24a2bd77d279b262d9a3110346d6f119e344d2c34f17a804754e3
SHA512 e6841e0b52b3b6df6a5baba347b64458433ef7d0fec1e2e6d3f0939379a62aa1bf85cab8a12cef667b41c5fe7a66b66e81f4f829ec0f3b3975848bcad83d8242

memory/2176-33-0x00007FF7A7250000-0x00007FF7A88D3C27-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2024-11-10 21:55
Reported: 2024-11-10 21:58
Platform: win10ltsc2021-20241023-en
Max time kernel: 97s
Max time network: 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe"

Signatures

UPX packed file (tag: upx)

Description    Indicator    Process    Target
N/A            N/A          N/A        N/A
N/A            N/A          N/A        N/A
N/A            N/A          N/A        N/A

Command and Scripting Interpreter: PowerShell (tag: execution)

Description    Indicator    Process                                                      Target
N/A            N/A          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    N/A
N/A            N/A          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    N/A

Suspicious use of AdjustPrivilegeToken

Description               Indicator    Process                                                      Target
Token: SeDebugPrivilege   N/A          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    N/A
Token: SeDebugPrivilege   N/A          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    N/A

Processes

C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe
    "C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe"

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 0a && mode con: cols=90 lines=26

C:\Windows\system32\mode.com
    mode con: cols=90 lines=26

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP | Select-Object -ExpandProperty Version"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP | Select-Object -ExpandProperty Architecture"

Network

Country  Destination        Domain                          Proto
US       8.8.8.8:53         8.8.8.8.in-addr.arpa            udp
US       8.8.8.8:53         241.150.49.20.in-addr.arpa      udp
US       8.8.8.8:53         172.210.232.199.in-addr.arpa    udp
US       8.8.8.8:53         136.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53         95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53         28.118.140.52.in-addr.arpa      udp
US       8.8.8.8:53         212.20.149.52.in-addr.arpa      udp
US       8.8.8.8:53         198.187.3.20.in-addr.arpa       udp
US       8.8.8.8:53         fd.api.iris.microsoft.com       udp
IE       20.223.36.55:443   fd.api.iris.microsoft.com       tcp
US       8.8.8.8:53         55.36.223.20.in-addr.arpa       udp
US       8.8.8.8:53         88.210.23.2.in-addr.arpa        udp
US       8.8.8.8:53         83.210.23.2.in-addr.arpa        udp
US       8.8.8.8:53         29.243.111.52.in-addr.arpa      udp

Files

memory/4192-0-0x00007FF6E2C70000-0x00007FF6E42F3C27-memory.dmp

memory/4232-1-0x00007FF8E6F43000-0x00007FF8E6F45000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ue23f4p1.y5o.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4232-11-0x00007FF8E6F40000-0x00007FF8E7A02000-memory.dmp

memory/4232-12-0x00000152CFC20000-0x00000152CFC42000-memory.dmp

memory/4232-13-0x00007FF8E6F40000-0x00007FF8E7A02000-memory.dmp

memory/4232-14-0x00007FF8E6F40000-0x00007FF8E7A02000-memory.dmp

memory/4232-15-0x00000152CFEA0000-0x00000152CFEB6000-memory.dmp

memory/4232-16-0x00000152CFE90000-0x00000152CFE9A000-memory.dmp

memory/4232-17-0x00000152D0090000-0x00000152D00B6000-memory.dmp

memory/4232-20-0x00007FF8E6F40000-0x00007FF8E7A02000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 4e50615fbb2682d496773c1e3985a98e
SHA1 67413638787fdae9a8fb43c128811faf7dabc8ce
SHA256 a13af49afd14efc8d114fbfd0ae7311482cd7af29c3d0cfc2b18be76c872bf94
SHA512 852df909000e14c6e1c35bbff1602ddcf04756e17eee788cd1c78131e18e3b0f7034aa5b29e3c39957d667719956b3876fd001269e4fb9672a8db2e89ae8c79b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a3101f3c4c89b36ec469cee45b28487
SHA1 c188454a1dcadcf103d53b4275f509165abd2088
SHA256 62b50d6eb485d2b12f24bd64578560fbfc3b6fc97434682573fe3da44cb99f83
SHA512 c44724cc276f3ad139857c40b7edf19e01eb0d1b2d66f1d8f74449ed3e2503fb1fff65984cba85b8f921f8bf96928cc7f3d194230720412eb731faff991ec959

memory/4192-33-0x00007FF6E2C70000-0x00007FF6E42F3C27-memory.dmp

memory/4192-35-0x00007FF6E2C70000-0x00007FF6E42F3C27-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted: 2024-11-10 21:55
Reported: 2024-11-10 21:57
Platform: win11-20241007-en
Max time kernel: 147s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe"

Signatures

UPX packed file (tag: upx)

Description    Indicator    Process    Target
N/A            N/A          N/A        N/A
N/A            N/A          N/A        N/A

Command and Scripting Interpreter: PowerShell (tag: execution)

Description    Indicator    Process                                                      Target
N/A            N/A          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    N/A
N/A            N/A          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    N/A

Suspicious use of AdjustPrivilegeToken

Description               Indicator    Process                                                      Target
Token: SeDebugPrivilege   N/A          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    N/A
Token: SeDebugPrivilege   N/A          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    N/A

Processes

C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe
    "C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe"

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 0a && mode con: cols=90 lines=26

C:\Windows\system32\mode.com
    mode con: cols=90 lines=26

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP | Select-Object -ExpandProperty Version"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP | Select-Object -ExpandProperty Architecture"

Network

Country  Destination  Domain                          Proto
US       8.8.8.8:53   43.229.111.52.in-addr.arpa      udp

Files

memory/3540-0-0x00007FF676F70000-0x00007FF6785F3C27-memory.dmp

memory/3488-1-0x00007FF93C013000-0x00007FF93C015000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jxvqjziz.ncr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3488-11-0x00007FF93C010000-0x00007FF93CAD2000-memory.dmp

memory/3488-10-0x000001CDE2EC0000-0x000001CDE2EE2000-memory.dmp

memory/3488-12-0x00007FF93C010000-0x00007FF93CAD2000-memory.dmp

memory/3488-13-0x00007FF93C010000-0x00007FF93CAD2000-memory.dmp

memory/3488-14-0x000001CDE3060000-0x000001CDE307C000-memory.dmp

memory/3488-15-0x000001CDE3050000-0x000001CDE305A000-memory.dmp

memory/3488-16-0x000001CDE3470000-0x000001CDE3496000-memory.dmp

memory/3488-19-0x00007FF93C010000-0x00007FF93CAD2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 c4004e022f299839235e0b9b9eff21cb
SHA1 53cb70317be1181667d198f11bb38c5283fdf604
SHA256 b0520284a49198908379c3bce330cb4428559866de87e5a5cfb6eac510605a5f
SHA512 5190c53fa27055789d6cc66dd3b1f822aa7a1c75b27a568c3f354d743531efe5ec0f9fb88fe83a5253250201646524d783d75fc1c25cf8160d80090455f7fa89

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7d11fdb1cefb8bc8e6c7d4c0b8a4f486
SHA1 51f70797f2fddd0817f14057f4818c5875be9057
SHA256 30da8122353bf6033e7e90b037c11c053739cb61f46eb89d552ddea152637331
SHA512 1ab45860498b90f09bd438dc907dc7933e180268cb5198767ffc6faf1de661199dd7933c714e3180476bd65cd9af386f45ae5cd7f0075ed425c0263b63838601

memory/3540-32-0x00007FF676F70000-0x00007FF6785F3C27-memory.dmp